Install Sendmail with DKIM on Raspbian Stretch

I have a little Raspberry Pi that I hope will be the home of the future pididu.com. It runs Raspbian Linux, which is basically Debian. Here are the steps I followed to get Sendmail working with DomainKeys Identified Mail (DKIM). I admit that this is something that most people will not need, so feel free to skip this article.

The lone dot at the beginning of the last line closes and sends the message. Check Yahoo mail to see that the message was received. Note that I don’t use Gmail for this test, which might reject mail from an unknown source as spam.

k1 is the name I chose for the selector. pididu.com is my domain, but of course, you would substitute your own in its place. Two files will be generated: k1.private – private key information which should never leave the server, and k1.txt – information to add to the zone file on my DNS server. The contents of this file are

k1._domainkey IN TXT "v=DKIM1\ ; k=rsa\ ;p=MIG ... IDAQAB"\;

A whole bunch of characters have been omitted above for brevity. k1._domainkey is the hostname for the record, and all the stuff between the quotation marks is the content of the record. You must add this record to your DNS server. With some hosts, you can enter this information yourself; with others, you must ask their technical support to enter it for you. To check that the record has been added correctly:

dig k1._domainkey.pididu.com txt +short

which should show the record previously entered.
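To compare the published record with the generated one mechanically rather than by eye, the following is an added example, not part of the original post. The function names are made up for illustration, the sample key data is a constructed placeholder, and k1.txt is assumed to be in the current directory.

```sh
#!/bin/sh
# Added example: check that DNS serves the same DKIM public key that
# opendkim-genkey wrote to k1.txt. Function names are hypothetical.

# Print the record's tag list with quoting, zone-file escapes (\;) and
# whitespace removed. Only text inside double quotes is kept, so values
# split into several "..." strings and trailing zone-file comments are handled.
normalize_dkim() {
    printf '%s' "$1" | tr -d '\n' | tr '"' '\n' |
        awk 'NR % 2 == 0 { printf "%s", $0 }' | tr -d '\\ \t'
}

# dkim_tag RECORD NAME: print the value of one tag (v, k, p, ...).
dkim_tag() {
    normalize_dkim "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# same_dkim_key GENERATED PUBLISHED
# Returns 0 if the keys match, 1 if they differ, 2 if the published record
# is unusable (wrong version, or an empty p=, which DKIM treats as revoked).
same_dkim_key() {
    [ "$(dkim_tag "$2" v)" = "DKIM1" ] || return 2
    published=$(dkim_tag "$2" p)
    [ -n "$published" ] || return 2
    [ "$published" = "$(dkim_tag "$1" p)" ]
}

# Constructed samples (the key data is a placeholder, not a real key):
# the zone-file form from k1.txt, and a dig +short answer split in two strings.
SAMPLE_TXT='k1._domainkey IN TXT ( "v=DKIM1\; k=rsa\; " "p=MIGfCONSTRUCTEDSAMPLEIDAQAB" ) ; comment'
SAMPLE_DIG='"v=DKIM1; k=rsa; p=MIGfCONSTRUCTED" "SAMPLEIDAQAB"'

if same_dkim_key "$SAMPLE_TXT" "$SAMPLE_DIG"; then
    echo "published key matches k1.txt"
else
    echo "published key does NOT match k1.txt (status $?)"
fi

# Real use, with the selector and domain from this article:
#   same_dkim_key "$(cat k1.txt)" "$(dig k1._domainkey.pididu.com txt +short)"
```

A status of 1 usually means the DNS control panel truncated or altered the key when the record was pasted in.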

The installation of opendkim should have created an opendkim user. Verify:

grep opendkim /etc/passwd

which should return something like

opendkim:x:129:129::/usr/run/opendkim:/bin/false

Make sure that the opendkim user can access the key file:

sudo chown opendkim:opendkim /etc/opendkim/k1.private

Test the domain key:

opendkim-testkey -d pididu.com -s k1 -v -k /etc/opendkim/k1.private

If that silently returns to the prompt, the key is okay. Now set up opendkim to listen on a socket. This is not the only way to do this, just one way:

sudo vi /etc/default/opendkim

There may be a line starting with SOCKET= in there as the default. Comment that out, and uncomment the line of the form SOCKET=inet:12274@localhost. The port number does not have to be 12274 – choose one to suit yourself. Save and quit.

Note that the above must be done again any time the file /etc/default/opendkim is changed. This may no longer be required in future versions of opendkim. I hear a bug report has already been filed.

Now configure sendmail to use opendkim to sign outgoing mail.

sudo vi /etc/mail/sendmail.mc

and append this line to the end:

INPUT_MAIL_FILTER(`opendkim', `S=inet:12274@localhost')

Note that in the above, a grave accent opens the quote, and an apostrophe closes it. Also, the port (12274 in the above case) must match the port previously chosen for opendkim. After saving the file, run

sudo m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

For some reason, the above did not work on the Raspberry Pi that I had set up with a non-default administrator account, saying I didn’t have permission to write the output file. So what I did was:

sudo su
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
exit

Restart sendmail:

sudo service sendmail restart

Then send another message to your Yahoo or other mail, as before. To confirm that things went well, look at the system log for sendmail and opendkim activity:

tail /var/log/mail.log

Also, open the message under Yahoo mail, and view the “raw message” (it might be called “full headers” or something else, depending on your mail service). It should have a line something like this showing DKIM pass: